John Potter

Posted on Oct 6, 2023

Locking Down Proprietary Apps with Aqua Trivy: Your Go-To Guide for Container Security

#aquatrivy #containers #security

Ever worry about the security of your containerized apps? You're not alone. Container security is a big deal—no ifs, ands, or buts about it. As more companies adopt containerized apps, the stakes for security rise.

Think of it this way: would you leave your front door unlocked in a busy neighborhood? Didn't think so. Aqua Trivy is the deadbolt you need. It's designed to spot vulnerabilities in your container images, making sure the bad guys stay out while your apps run smoothly.

Scanning Your First Container
Setting Up Your Environment
Integrating Aqua Trivy into Kubernetes
Creating Security Policies
Alerts and Monitoring
Best Practices
Conclusion

Scanning Your First Container

Let's get right into scanning your first container with Aqua Trivy. This guide will walk you through running a sample scan and interpreting the results.

Run a sample scan.

First, you'll need to install Trivy if you haven't already. Open up your terminal and run:

$ curl -sfL https://aquasecurity.github.io/trivy-repo/deb/trivy.asc | sudo apt-key add -
$ sudo add-apt-repository 'deb https://aquasecurity.github.io/trivy-repo/deb/ release main'
$ sudo apt-get update
$ sudo apt-get install trivy

Now that Trivy is installed, let's run a scan on a sample container image. We'll use the alpine image for this example.

$ trivy image alpine:latest

What the results mean.

Once you run the scan, you'll see a list of potential vulnerabilities. The output will look something like this:

2021-10-06T23:58:52.337Z        INFO    Detecting Alpine vulnerabilities...
2021-10-06T23:58:52.343Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected

alpine:latest (alpine 3.14.0)
=============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

The Total line at the bottom gives you a summary. It tells you the total number of vulnerabilities and breaks it down by severity: UNKNOWN, LOW, MEDIUM, HIGH, and CRITICAL.
UNKNOWN: Trivy couldn't determine the severity.
LOW: Minor issues, but check them out anyway.
MEDIUM: You should probably take a look.
HIGH: Yeah, you'll want to address these.
CRITICAL: Drop everything and fix these now.

That's it! You've successfully run your first scan with Aqua Trivy and learned how to interpret the results. Keep your containers secure and your apps running smooth

Integrating Aqua Trivy into Kubernetes

Now that you know how to scan a container manually, let's level up. The real magic happens when you integrate Aqua Trivy directly into your Kubernetes setup. This means every new container gets checked for vulnerabilities automatically before it hits production. Let's dive into how to make that happen

Step-by-step guide.

Install Aqua Trivy on your system if you haven't already.

sudo apt-get install trivy

Set up RBAC permissions for Trivy in your Kubernetes cluster.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: trivy
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: trivy
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: trivy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: trivy
subjects:
  - kind: ServiceAccount
    name: trivy
    namespace: default

Run the Trivy scanner as a Kubernetes job.

kubectl apply -f trivy-job.yaml

Check the logs for the scanning results.

kubectl logs job/trivy-scan

Common Issues and Fixes

Issue: Trivy can't pull the image.
Fix: Make sure the image name and tag are correct. Check if Kubernetes has access to the Docker registry.
Issue: Permission errors in the logs.
Fix: Make sure the RBAC permissions were set up correctly. Try running the RBAC YAML file again.
Issue: Trivy scanner times out.
Fix: This could be because of network issues or if you're scanning a large image. Increase the timeout value in the Trivy configuration.

And that's it! You've successfully integrated Aqua Trivy into your Kubernetes cluster. Now you can automate your container security scans and sleep a little better at night

Creating Security Policies

Now that you've got Aqua Trivy up and running in your Kubernetes cluster, let's make it really work for you. In this next section, we'll dive into how to create security policies. These policies are your rulebook for what's allowed and what's not, helping you catch vulnerabilities before they become headaches. First, let's set some ground rules

How to set rules in Aqua Trivy.

Setting rules in Aqua Trivy will help you define what kind of vulnerabilities you want to catch and flag.

Open the Aqua Trivy Dashboard:

open http://your-aqua-trivy-dashboard-url

Navigate to the Policies Section:

On the left sidebar, click on "Policies."

Create a New Policy:

Click the "Add Policy" button.

# In CLI
trivy policy --add your-policy-name

Define Your Rules

Here, you'll see various options for rules related to vulnerability severity, software licenses, etc. Choose the ones that fit your security needs.

# For example, flag only high-severity issues
trivy policy --severity HIGH

Save the Policy

Once you're happy with your settings, hit the "Save" button.

# In CLI
trivy policy --save

Test the Policy

To make sure everything's working as expected, run a test scan.

trivy policy --test your-policy-name

Common issues and fixes

Policy Not Working: If your policy doesn’t seem to be catching vulnerabilities, double-check your severity levels.
CLI Errors: Syntax errors in the CLI could mess things up. Always check your terminal output.

And there you have it! You've just set your security rules in Aqua Trivy. This is your first line of defense against sketchy stuff sneaking into your containers

Examples of good policies.

Creating a well-defined policy isn't just about setting a few rules; it's about understanding your environment and what you're looking to protect. Below are some examples of good policies that could serve as a baseline.

Strict Policy for Production

Flags: High and Critical vulnerabilities
Action: Block deployment

# Example CLI command
trivy policy --severity HIGH,CRITICAL --action block

Moderate Policy for Development

Flags: Medium, High, and Critical vulnerabilities
Action: Warn but allow deployment

# Example CLI command
trivy policy --severity MEDIUM,HIGH,CRITICAL --action warn

License-Compliance Policy

Flags: GPL-licensed packages
Action: Block deployment

# Example CLI command
trivy policy --license GPL --action block

Outdated Software Policy

Flags: Packages not updated in the last 180 days
Action: Warn but allow deployment

# Example CLI command
trivy policy --days 180 --action warn

Comprehensive Policy

Flags: Medium and above vulnerabilities, GPL licenses, outdated packages
Action: Block deployment

# Example CLI command
trivy policy --severity MEDIUM,HIGH,CRITICAL --license GPL --days 180 --action block

These are just templates, but they give you an idea of how to construct a policy that fits your specific needs. Tailor these to your environment, and you'll be in a solid position to keep things secure.

Alerts and Monitoring

Now that you've set up some solid policies with Aqua Trivy, how do you keep tabs on your container security? That's where alerts and monitoring come into play. This section will guide you through setting up real-time alerts and monitoring features, so you're always one step ahead of any security issues. Let's dive in.

How to set up alerts.

Setting up alerts in Aqua Trivy ensures that you're immediately notified of any vulnerabilities or policy breaches. Here's how to do it, step by step:

Log into the Aqua Trivy Dashboard

trivy login

Navigate to the Alerts section

cd /path/to/alerts

Create a New Alert Profile

trivy alert create --name "Critical Alert"

Set Alert Conditions

trivy alert condition set --severity "CRITICAL"

Add Notification Channel (e.g., Slack, Email)

trivy alert notify add --channel "slack" --url "your-slack-webhook-url"

Test the Alert

trivy alert test

Save and Enable Alert

trivy alert enable

By following these steps, you'll set up an alert profile that notifies you when a critical vulnerability is found.

Monitoring tools compatible with Aqua Trivy.

You're not limited to the built-in alerting system. Aqua Trivy is compatible with a range of monitoring tools, which allows for even more flexibility and customization. Here are some popular choices:

Prometheus

trivy monitor --tool "prometheus"

Grafana

trivy monitor --tool "grafana"

ELK Stack (Elasticsearch, Logstash, Kibana)

trivy monitor --tool "elk"

Choose a monitoring tool that aligns with your needs, and you can integrate it seamlessly with Aqua Trivy for an even more robust security setup

Best Practices

Next up, let's dive into some best practices. Knowing how to use Aqua Trivy is one thing, but using it effectively? That's the gold standard. This section lays down the do's and don'ts to keep your containers secure as a vault. Keep reading to get the most out of your Aqua Trivy setup.

Keep It Updated

Why It Matters: Security threats evolve. So should your tools.
How to Do It: Run regular updates to make sure you're using the latest Trivy version.

$ sudo apt-get update && sudo apt-get install trivy

Scan Early, Scan Often

Why It Matters: The earlier you catch vulnerabilities, the easier they are to fix.
How to Do It: Integrate Trivy into your CI/CD pipeline.

steps:
- name: Run Trivy vulnerability scanner
  run: trivy image YOUR_IMAGE_NAME

Set Smart Policies

Why It Matters: Not all vulnerabilities are created equal. Focus on what matters.
How to Do It: Use Trivy's policy files to set custom rules.

$ trivy policy --policyfile your-policy-file.json YOUR_IMAGE_NAME

Use Whitelists

Why It Matters: Some vulnerabilities might be false positives or irrelevant to your setup.
How to Do It: Use a whitelist file to ignore them.

$ trivy --whitelist whitelist-file.txt YOUR_IMAGE_NAME

Keep an Eye on Alerts

Why It Matters: Staying informed helps you react quickly.
How to Do It: Set up alert channels like email or Slack through Trivy.

$ trivy --alert-url YOUR_SLACK_WEBHOOK_URL YOUR_IMAGE_NAME

This isn't an exhaustive list, but it's a solid start. Stick to these best practices and you'll be well on your way to mastering container security with Aqua Trivy.

Conclusion

To wrap it up, Aqua Trivy isn't just another tool in your security arsenal—it's a must-have for anyone using Kubernetes. From scanning your first container to setting up smart policies and alerts, Trivy makes container security easier and more efficient. Stick to the best practices we've laid out here, and you're setting yourself up for a more secure, more reliable container environment

DEV Community